A group of North Korean hackers is engaged in a massive campaign targeting U.S. financial institutions and cryptocurrency exchanges around the world — with U.S. authorities warning of the high level of threat it poses to the country.

According to an alert issued by the U.S. Department of Homeland Security (DHS), agencies including the FBI, the U.S. Cyber Command, and the Department of the Treasury are moinotiring the resurgence of the North Korea-sponsored hacking group, BeagleBoyz.

The hackers have not been as active in the last few years as the notorious Lazarus Group – another hacking group from the hermit regime. However, they are reportedly responsible for stealing $2 billion since at least 2015, mostly related to “lucrative cryptocurrency thefts,” said the U.S. DHS.

The group appears to have restructured its team earlier this year, according to the latest findings, and have developed new “irreversible methods of theft” to target crypto exchanges.

Malware that the BeagleBoyz plan to use includes COPPERHEDGE – a remote access tool employed by sophisticated threat groups to target crypto exchanges. The tool can run commands on compromised systems and exfiltrate stolen data.

Speaking with Cointelegraph, Erich Kron, security awareness advocate at cybersecurity firm KnowBe4, said the group was well organized and targeted ATMs as well as exchanges.

“The ATM cash out schemes are interesting, as they are often well organized and can include many accomplices around the world working together to make large withdrawals simultaneously,” he said. In contrast, delivering malware to exchanges was usually pretty basic he said:

“The use of phishing emails and LinkedIn connections demonstrate how the initial attacks are often done using low-tech social engineering schemes, then move into more high-tech techniques once in the network.”

According to a report released by the Finnish cybersecurity and privacy firm, F-Secure, the latest Lazarus Group attack was made through a crypto-related job advert on LinkedIn.

Their investigation indicated that an individual working in the blockchain space received a phishing message that mimicked a legitimate blockchain job listing.